The cover images for this post is by Alvaro Reyes
I've had an idea for a series floating around in my head for a while
baking security into a new website, as soon as a client approaches me
I even ended up rubber ducking this idea in a recent comment thread:
I've use Feedify and QR Codes in one post (shortly before the first instance of MageCart), a discussion on OWASP, and how it could ruin your company or brand as examples about why folks should look into this in the past. Especially since it's a relatively easy problem to solve.
I feel like you could make it into a series of posts. Even as someone who knows this stuff and how to implement it, I'd love to read a series where the author goes from "here's the theory" through "here's my initial plan", to "here's why my assumptions were wrong" (because with CSP, they will be) to "here's the finished headers for my site".
A lot of folks who write about headers tend to focus on the first and last step here, but devs need to know that the middle part is hard. Maybe you could cover that, or nominate someone to do so. Maybe I'll take a whack at it with an app for one of my clients 😉
Those who have been keeping up with my writing will know that I've written about this topic before, but always from a more theoretical view:
But in this series, I'll be taking you through the whole process. From no webapp all the way up to a webapp with security headers, with everything in between.
Aside from the fact that I do this for every webapp that I create, I've noticed that almost no one who talks about these things covers the middle step - which is the pain that you feel when the CSP still doesn't work, or when the marketing person wants to add an insecure feature to the site without checking with you first (which is the most likely thing).
Seriously, you'll probably spend the most time trying to figure out where all of your disperate JS and frames are loading in from, and will be scratching your head as to why these things are being loaded in. In that way, creating a CSP alone can help with performing a sort of spring clean on your application, but we'll get to that in a later post.
I'd say that you can expect practical advice for implementing recommended security headers into your web application, by example.
Exactly how you add these headers will differ, depending on which technology you're building your webapp with. So I won't spend much time on actually how to add them to your app (though most technologies offer a similar approach).
I'm going to be building a real app, for a real client of mine, and will document the process. I'll also link to a dev.to specific build of the app, as I'm building it, so that you can all see it being built up.
(I'll also provide the source code)
So stick around, watch this space, and you might learn a few things - hopefully.